If random data is prepended to a file encrypted with GNUPG's symmetric encryption, how may an attacker find out if the input file is deliberately corrupted or the passphrase is wrong?

If it is not easily ascertainable from which offset the actual encrypted data starts, is there any added security in always prepending a few kilobytes to an encrypted file in order to slow down an attacker?

In order to brute force the file, the attacker must start at offset 0 and continue incrementally with all likely passphrases until he gets a match.

Here I am assuming, perhaps incorrectly, that there is no magic number easily identifying the file as encrypted with GNUPG and that there is no way to validate the contents without trying the passphrase.

But if this assumption does not hold for GNUPG, what about Truecrypt's file based containers?

As far as I know, TrueCrypt file-based containers are indistinguishable from random noise, but the size gives away that the file may be a TrueCrypt container.

If my TC container's actual size is 5 GB, and I prepend it with 5 GB random data, will brute forcing by an attacker who doesn't know the real offset be too costly?

Is there any design reason why crypto software does not let the user select the start offset for decryption in addition to the passphrase?

1 Answer

It's much easier to add a cost factor to the key derivation from the password than to add a lot of data to an encrypted container. See the PBKDFs PBKDF2, bcrypt and scrypt for more information, or see this Q/A for GPG. In general, an iteration to derive the key is of course much more efficient than adding overhead at the start of the file.

If a key has an entropy of over 100 bits and there are no vulnerabilities in the encryption routine (this is likely true for GPG / CAST5), then brute forcing the key is already not possible, and the measly amount of time required to decrypt a small amount of data is not much of an additional deterrent.

Note that CBC mode encryption can be decrypted from any location in the ciphertext, as long as the previous ciphertext block is available. As for the trick with the TrueCrypt volumes (wasn't that software deprecated?), how would you know as a legit user where to start reading/writing?
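To make the CBC point concrete, here is an added example (not from the answer or from any of the tools mentioned) that encrypts four blocks in AES-CBC and then recovers blocks 2 and 3 using nothing but the ciphertext block immediately before them; the key, IV and plaintext are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// cbcEncrypt encrypts plaintext (a whole number of AES blocks) under key in
// CBC mode and returns iv || ciphertext, the usual on-disk layout.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", aes.BlockSize)
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], plaintext)
	return out, nil
}

// decryptBlocksFrom recovers nBlocks plaintext blocks starting at plaintext
// block index start, reading only the ciphertext block just before the range
// (the IV when start == 0) plus the range itself: P_i = D(C_i) XOR C_{i-1}.
func decryptBlocksFrom(key, data []byte, start, nBlocks int) ([]byte, error) {
	bs := aes.BlockSize
	if start < 0 || nBlocks < 1 || (start+1+nBlocks)*bs > len(data) {
		return nil, fmt.Errorf("requested range lies outside the ciphertext")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	chain := data[start*bs : (start+1)*bs]          // C_{start-1}, or the IV
	ct := data[(start+1)*bs : (start+1+nBlocks)*bs] // C_start .. C_{start+nBlocks-1}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, chain).CryptBlocks(pt, ct)
	return pt, nil
}

func main() {
	// Constructed sample: a 128-bit key, an IV and four 16-byte plaintext blocks.
	key := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	pt := []byte("block-0-aaaaaaaablock-1-bbbbbbbbblock-2-ccccccccblock-3-dddddddd")
	data, _ := cbcEncrypt(key, iv, pt)
	mid, _ := decryptBlocksFrom(key, data, 2, 2) // blocks 2 and 3 only
	fmt.Printf("%q\n", mid)                      // "block-2-ccccccccblock-3-dddddddd"
}
```

The same random access is what lets a full-disk or container format seek to any sector, which is also why a secret start offset would have to be stored or remembered somewhere for the legitimate user to find their own data.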